Ransomware Will Target Backups: 4 Ways to Protect Your Data

Backups are the best way to take control of your defense against ransomware, but they need protecting as well.

Ransomware has had a banner year so far. Two major attacks — WannaCry and NotPetya — have caused, conservatively, hundreds of millions of dollars in damages, while cybercriminals continue to target users' systems and data.

Proactive companies, however, do have options. The most consistent defense against ransomware continues to be good backups and a well-tested restore process. Companies that consistently back up their data and can quickly detect a ransomware attack should be able to restore their data and operations with a minimum of disruption.

In some cases, we have seen wiper malware such as NotPetya pretending to be Petya ransomware while serving a similar ransom note. In these attacks, the victims won't be able to get their files back even they pay the ransom — making the ability to restore from a backup even more critical.

For that reason, the cybercriminals — and, in some cases, nation-state agents — behind ransomware have begun targeting the backup processes and tools, as well. Several ransomware programs — such as the recent WannaCry (WannaCrypt0r) and the newer version of CryptoLocker — delete the shadow volume copies created by Microsoft's Windows operating system. Shadow copies are a simple method that Microsoft Windows provides for easy restoration.

On the Mac, cybercriminals targeted backups from the get-go. Researchers have discovered incomplete functions in the first Mac ransomware — released in 2015 — that targeted the disk used by the Mac OS X operating system's automated backup tool called Time Machine.

The strategy is straightforward: Encrypt the backup and individuals or companies are likely to lose the ability to restore data and are more likely to pay a ransom. Attackers are escalating their efforts beyond infecting single workstations and aim to destroy the backups, too.

Here are four recommendations to help companies protect their backups against ransomware attacks.

1. Be careful using network file servers and online sharing services.Network file servers can be easy to use and are always available, two attributes that make network-accessible "home" directories a popular way to centralize data and make it easy to back up. However, when exposed to ransomware, this type of data architecture has serious security weaknesses. Most ransomware programs encrypt connected drives, so the victim's home directory would be encrypted as well. In addition, any server that runs a vulnerable and highly targeted operating system like Windows could be infected, which would lead to every user's data being encrypted.

Thus, any company with a network file server needs to assiduously back up the data to a separate system or service, and specifically test the system's restore capability if faced with ransomware.

Cloud file services aren't immune to ransomware either. In 2015, Children in Film, a business providing information for child actors and their parents, got hit with ransomware. The company extensively used the cloud for its business, including a common cloud drive. Within 30 minutes of an employee clicking on a malicious e-mail link, more than 4,000 files stored in the cloud were encrypted, according to an article in KrebsOnSecurity. Fortunately, the company's backup provider was able to restore all of the files, even though it took almost a week to complete the process.

Depending on whether the cloud service provided incremental backups or easily managed file histories, recovering data in the cloud could be more difficult than an on-premises server.

2. Get visibility into your backup process.The earlier that a company can detect a ransomware infection, the more likely that the business can prevent significant corruption of data. Data from the backup process can provide early warning of a ransomware infection. A program that suddenly encrypts your data leaves signs in your backup log. Incremental backups will suddenly "blow up" as every file is essentially changed, and the encrypted files can't be compressed or deduplicated.

Monitoring vital metrics such as capacity utilization from the backup process on a regular basis — essentially, every day — can help companies detect when ransomware has infected a system inside the company and limit the damage from the compromise.

3. Consider your solution options.If ransomware can directly access backup images, then it will be very challenging if not impossible to stop it from encrypting corporate backups. For that reason, a purpose-built backup system that abstracts the backup data will be able to prevent ransomware from encrypting historical data.

By separating backups from your normal operating environment and making sure the process is not running on a general-purpose server and operating system, your backups can be hardened against attack. Backup systems based on the most commonly targeted operating system, Microsoft Windows, are prone to being attacked and make it much harder to protect your backup data.

4. Regularly test your recovery processFinally, backups are no good unless you can recover both reliably and quickly. Some victims of ransomware have had backups but still have had to pay the ransom because the backup schedule did not perform backups with enough granularity, or they were not backing up the data they thought they were backing up.

Part of testing the recovery process is determining the window of data loss. A company that does a full backup every week will lose up to a week of data should it need to recover after its last backup. Doing daily or hourly backups greatly increases the level of protection. More granular backups and detecting ransomware events as early as possible are both key to fending off damage.

In the end, companies should aim to detect ransomware attacks early through monitoring or anti-malware defenses, use a purpose-built system to maintain a separation between the backup data and a potentially compromised system, and regularly test the backup and restore process to ensure data is properly protected.

These efforts will keep backups at the top of the list of ransomware defenses and will reduce the risk of losing data in the event of an attack.

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Rod Mathews serves as Senior VP & General Manager, Data Protection Business, for Barracuda. He directs strategic product direction and development for all data protection offerings, including Barracuda's backup and archiving products, and is also responsible for Barracuda's ... View Full Bio

And in several sets - onsite and offsite. Backups must be run on a risk-factor - how many days or hours is the firm comfortable with potential data loss upon restore. Most times, a 24 hour turn-around will suffice but it must be DAILY and rotational. Only then does one have true insurance.

Published: 2017-05-09NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.